Can I create a reset condition based off a syslog message?

routermonkey

I've created an alert triggered by receiving a syslog message from a Palo firewall (path monitoring, let's us know when the local guest internet connection fails)  Engineers would like to also get a message that would indicate that the path is valid again.

Can I create an alert reset condition based off a 2nd syslog message?  Or is the only option to create a 2nd alert that is triggered off the 2nd syslog message (basically having an UP alert and a DOWN alert)  If I have to go this route, is there a way to get the 2nd message/alert to reset the first alert?

KMSigma.SWI

I can't test this, but I think you can probably create two "alerts" in Log Analyzer.

In the Log Analyzer rules:

1. Create a rule for whatever you need for a "down" trigger.  Have Log Analyzer build you an Orion Alert from there. (Keep the rule disabled for the time being)
2. Build a second on whatever you need for an "up" (reset) trigger.  Have Log Analyzer also build an Orion Alert. (Keep the rule disabled for the time being)

In the Orion Alerts:

1. Edit the Orion Alert for the "down" rule. (You can delete the Orion "Alert" for the up rule)
2. Trigger Conditions Tab should look something like this:
   
3. Go to the Reset Conditions tab.
4. Move the selector to "Create a special reset condition for this alert"
5. Click the "Add Conditions" drop-down and select "Copy condition from trigger."
6. Edit the alert condition by selecting the "up" rule name from the Log Analyzer rules.
7. The Reset Conditions Tab should look something like this:

My head says this will work based on the logic, but I cannot be 100% sure without being able to test it, which I cannot because I don't have the devices in my environment.